patch "staging: rtl8723bs: Prevent an underflow in rtw_check_beacon_data()." added to staging-linus

patch "staging: rtl8723bs: Prevent an underflow in rtw_check_beacon_data()." added to staging-linus

[gregkh]

This is a note to let you know that I've just added the patch titled

    staging: rtl8723bs: Prevent an underflow in rtw_check_beacon_data().

to my staging git tree which can be found at
    git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git
in the staging-linus branch.

The patch will show up in the next release of the linux-next tree
(usually sometime within the next 24 hours during the week.)

The patch will hopefully also be merged in Linus's tree for the
next -rc kernel release.

If you have any questions about this process, please let me know.


>From 920c92448839bd4f8eb87a92b08cad56d449caff Mon Sep 17 00:00:00 2001
From: Murray McAllister <murray.mcallister@insomniasec.com>
Date: Mon, 2 Jul 2018 13:07:28 +1200
Subject: staging: rtl8723bs: Prevent an underflow in rtw_check_beacon_data().

Dan Carpenter reported an integer underflow issue in the rtl8188eu driver.
This is also needed for the length (signed integer) in rtl8723bs, as it is
later converted to an unsigned integer and used in a memcpy operation.

Original issue is at https://patchwork.kernel.org/patch/9796371/

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Murray McAllister <murray.mcallister@insomniasec.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/staging/rtl8723bs/core/rtw_ap.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/staging/rtl8723bs/core/rtw_ap.c b/drivers/staging/rtl8723bs/core/rtw_ap.c
index 45c05527a57a..faf4b4158cfa 100644
--- a/drivers/staging/rtl8723bs/core/rtw_ap.c
+++ b/drivers/staging/rtl8723bs/core/rtw_ap.c
@@ -1051,7 +1051,7 @@ int rtw_check_beacon_data(struct adapter *padapter, u8 *pbuf,  int len)
 		return _FAIL;
 
 
-	if (len > MAX_IE_SZ)
+	if (len < 0 || len > MAX_IE_SZ)
 		return _FAIL;
 
 	pbss_network->IELength = len;
-- 
2.18.0

Re: patch "staging: rtl8723bs: Prevent an underflow in rtw_check_beacon_data()." added to staging-linus

[Dan Carpenter]

On Mon, Jul 02, 2018 at 10:48:41AM +0200, gregkh@linuxfoundation.org wrote:
> 
> This is a note to let you know that I've just added the patch titled
> 
>     staging: rtl8723bs: Prevent an underflow in rtw_check_beacon_data().
> 
> to my staging git tree which can be found at
>     git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git
> in the staging-linus branch.
> 
> The patch will show up in the next release of the linux-next tree
> (usually sometime within the next 24 hours during the week.)
> 
> The patch will hopefully also be merged in Linus's tree for the
> next -rc kernel release.
> 
> If you have any questions about this process, please let me know.
> 
> 
> >From 920c92448839bd4f8eb87a92b08cad56d449caff Mon Sep 17 00:00:00 2001
> From: Murray McAllister <murray.mcallister@insomniasec.com>
> Date: Mon, 2 Jul 2018 13:07:28 +1200
> Subject: staging: rtl8723bs: Prevent an underflow in rtw_check_beacon_data().
> 
> Dan Carpenter reported an integer underflow issue in the rtl8188eu driver.
> This is also needed for the length (signed integer) in rtl8723bs, as it is
> later converted to an unsigned integer and used in a memcpy operation.
> 
> Original issue is at https://patchwork.kernel.org/patch/9796371/
> 
> Reported-by: Dan Carpenter <dan.carpenter@oracle.com>

Greg, you gave me Reported-by credit for this but really Murray found it
on his own.  It was slightly confusing perhaps from the commit message.

regards,
dan carpenter

Re: patch "staging: rtl8723bs: Prevent an underflow in rtw_check_beacon_data()." added to staging-linus

[Greg KH]

On Tue, Jul 03, 2018 at 01:42:47PM +0300, Dan Carpenter wrote:
> On Mon, Jul 02, 2018 at 10:48:41AM +0200, gregkh@linuxfoundation.org wrote:
> > 
> > This is a note to let you know that I've just added the patch titled
> > 
> >     staging: rtl8723bs: Prevent an underflow in rtw_check_beacon_data().
> > 
> > to my staging git tree which can be found at
> >     git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git
> > in the staging-linus branch.
> > 
> > The patch will show up in the next release of the linux-next tree
> > (usually sometime within the next 24 hours during the week.)
> > 
> > The patch will hopefully also be merged in Linus's tree for the
> > next -rc kernel release.
> > 
> > If you have any questions about this process, please let me know.
> > 
> > 
> > >From 920c92448839bd4f8eb87a92b08cad56d449caff Mon Sep 17 00:00:00 2001
> > From: Murray McAllister <murray.mcallister@insomniasec.com>
> > Date: Mon, 2 Jul 2018 13:07:28 +1200
> > Subject: staging: rtl8723bs: Prevent an underflow in rtw_check_beacon_data().
> > 
> > Dan Carpenter reported an integer underflow issue in the rtl8188eu driver.
> > This is also needed for the length (signed integer) in rtl8723bs, as it is
> > later converted to an unsigned integer and used in a memcpy operation.
> > 
> > Original issue is at https://patchwork.kernel.org/patch/9796371/
> > 
> > Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
> 
> Greg, you gave me Reported-by credit for this but really Murray found it
> on his own.  It was slightly confusing perhaps from the commit message.

Sorry about that, the commit message was confusing :(